diff options
| author | Chris PeBenito <cpebenito@tresys.com> | 2006-09-15 19:05:03 +0000 |
|---|---|---|
| committer | Chris PeBenito <cpebenito@tresys.com> | 2006-09-15 19:05:03 +0000 |
| commit | cf7af137c07bbd2185f6c449d999cad67c3ec963 (patch) | |
| tree | b9d55da6a917657e00b3ba4dfc0c8730a533fa9e /policy/mls | |
| parent | 2b571d6880def442476fa2196f469c9eab2daa93 (diff) | |
add mls fd constraints
Diffstat (limited to 'policy/mls')
| -rw-r--r-- | policy/mls | 14 |
1 files changed, 9 insertions, 5 deletions
@@ -344,11 +344,15 @@ mlsconstrain msg send # MLS policy for the fd class # -# these access vectors have no MLS restrictions -# fd use - - - +# No sharing of open file descriptors between levels unless +# the process type is authorized to use fds created by +# other levels (mlsfduse) or the fd type is authorized to +# shared among levels (mlsfdshare). +mlsconstrain fd use ( + l1 eq l2 + or t1 == mlsfduse + or t2 == mlsfdshare +); # # MLS policy for the network object classes |